Symptom
Zebra printer devices unable to connect to wireless. Client not passing the authenticating state.
Wireless controller sending deleting reason: CO_CLIENT_DELETE_REASON_KEY_XCHNG_TIMEOUT.
AP re-transmitting the M1 message, never receiving the M2 for PSK.
AP tells it sends EAP iden req but never recieves reply for dot1x
OTA packet capture confirms the client sends correct the M2 but AP does not process. Or that AP does not even sends M1 or EAP iden req over the air altough debug trace shows it does.
Conditions
Noticed on version 17.9.2, 17.9.3
Problem affects AP models 9130, 9136, 916x only, other similar models like 9120 are not affected.
Affecting Zebra printers or devices that send a VHT 0x0 IE during assoc or reassoc req.
Most clients are able to connect but the mentioned, this can be confirmed with a OTA at the same time as debug run on AP.
kernel: [date] [AP] [clientMAC] [U:W] EAPOL_START
kernel:[date] [AP] [clientMAC] [U:E] EAPOL_START
kernel: [date] [AP] [clientMAC] [D:E] EAP_PACKET.Request : Id 0x01 type 1 Identity
kernel: [date] [AP] [clientMAC] [D:W] EAP_PACKET.Request : Id 0x01 type 1 Identity
kernel: [date] [AP] [clientMAC] [D:E] EAP_PACKET.Request : Id 0x01 type 1 Identity
kernel: [date] [AP] [clientMAC] [D:W] EAP_PACKET.Request : Id 0x01 type 1 Identity
It would appear like AP receives from cable [D:E] EAP req and sends it over the air [D:W] however OTA confirms this is not happening. this is one example scenario
Workaround
IOS XE 17.9.1 not affected
Further Problem Description
This is a regression caused by the commit of CSCwc74679 in 17.9.2, 17.10 and 17.11. CSCwe66515 addresses the client connection problem by backing out the CSCwc74679 fix.
